kinit always specifies all available etypes in AS-REQ
Henry B. Hotz
hotz at jpl.nasa.gov
Mon May 24 13:13:38 EDT 2010
+1 as a desirable feature.
I have a specially-built kinit that reads the list of enctypes and modifies what's sent to the KDC accordingly. Other people have spoken up on this issue in the past.
On May 24, 2010, at 9:03 AM, krbdev-request at mit.edu wrote:
> Date: Mon, 24 May 2010 18:22:48 +0800
> From: Weijun Wang <Weijun.Wang at sun.com>
> Subject: kinit always specifies all available etypes in AS-REQ?
> To: krbdev at mit.edu
> Message-ID: <434A03D1-DB8E-4FDB-904E-899E1DC7BE47 at sun.com>
> Content-Type: text/plain; CHARSET=US-ASCII
>
> Hi All
>
> kinit can use a keytab file to request for a TGT. My keytab only includes keys for several etypes, but it seems kinit still includes all supported etypes in the AS-REQ message. When the KDC (Windows Server 2008) sends back the preauth challenge listing aes256-cts (which I don't have in my keytab) as the first etype in PA-ETYPE-INFO2, kinit fails saying --
>
> kinit: Key table entry not found while getting initial credentials
>
> If preauth is disabled, KDC simply sends back a TGT with session key encrypted with aes256-cts, and kinit shows the same error.
>
> Why can't kinit only specifies the etypes in the keytab at the beginning? Is this a feature or a bug?
>
> I'm using 1.7 on Ubuntu.
>
> Thanks
> Weijun
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
More information about the krbdev
mailing list